I am planning to use my new F5 LTM to load balance Windows Server 2003 print servers. For the moment, it doesn't work for me: I can see the shared printer but I can't map it.
Has anayone already "played" with LTM & MS print servers ?
Here's the new link to the guide for creating the WMI monitor. As I recall it was pretty straightforward. I'm even using the same interval and timeout. Looking at my monitor properties, the only thing I see that is different is my alias service port is 3389 and the external program path is /usr/bin/monitors. Also, you'll need to enable remote WMI requests on the win2k8 boxes if not already enabled.
I'm also fighting with MS print servers behind the BIG-IPs.
Based on the two Threads here in the Forum we configured nPath as described and also configured a loopback on the print servers with the VS IP-address. Also the two mentioned Registry tweaks were implemented.
But we still only get the listing working, nothing more. With setting the Metric for the loopback to 2 nothing was working, also ping monitoring from the LB to the print server was red then. That's why we removed it again.
Basically I'm also wondering why nPath routing is necessary at all. Normally nPath routing will only be used if you have a huge amount of outgoing server traffic, which should not go through the BIG-IP (to save resources and internal throughput). From a technical point of view nPath or having SNAT enabled should be the same, only difference with SNAT you have one additional hop for the response.
So can someone explain, why nPath is technical required for MS print servers? And does anyone has an additional idea, why it's not working for me? Btw. the result, that only listing is working is the same using nPath or SNAT.
Post your config and I'll compare to my working setup. Do you have the service port set to 0? My configuration is based off a lot of trial and error and a little less understanding. It does work though. I've been serving ~700 queues for a little over 2 years with multiple gigabytes of traffic going through the VIP every day.
03-May-201103:42 - last edited on 31-May-202315:30 by JimmyPackets
Hi Chris,
as I'm only responsible for the Loadbalancer I can only provide this config (I hope the server guy has done his job correctly as well, he mentioned that he want's to test some additional things these days, but didn't get any feedback yet):
virtual mltprtp01 {
destination 10.10.10.10:any
translate address disable
profile fastL4_print_profile
pool printer_cluster_mltprtp01
vlans Productie enable
}
pool printer_cluster_mltprtp01 {
action on svcdown reselect
monitor all check_mltprtp01_tcp_445
member 10.10.10.20:any
member 10.10.10.21:any
}
monitor check_mltprtp01_tcp_445 {
defaults from tcp
dest *:microsoft-ds
}
profile fastL4 fastL4_print_profile {
defaults from fastL4
tcp close timeout 51
loose close enable
}
As you can see the VIP is in the same subnet as the printservers, but I hope this is not a problem.
Thank you for any additional ideas or information.
Ciao Stefan üôÇ
VIP in the same subnet shouldn't be an issue. Your config looks fine to me. I can remember having the same issue you are dealing with. I just can't remember the change that fixed it. If you can't see the windows config though, I'd just about guarantee that is where your problem is.
The way I remembered why npath routing is needed is because the packet capture showed that the F5 will NAT the IP address in the tcp header but not on the tcp data. TCP data still showed the virtual server address. So, when the request is sent to the print server with the virtual server address, the print server rejects it.
When you configure a loopback address on the print server which is the same as the virtual server address, the print server will accept the request because it knows that as a loopback address.
We had frequent issues with that design where the server group had to restart the services or the server but now it seems to be ok. Most of the problems were related to the config on the server side.
In the meanwhile I got feedback from the server guy and he got it working now.
He enabled "Client for MS networks" and "File and Printer Sharing" on the loopback adapter and printers can now be mapped.
This is maybe interesting for someone else.
Btw. he mentioned that the two Registry tweaks were only implemented on one print server and the other one is working fine as well. But maybe this depends on the OS of the print server. I don't know which version they are running.
No SNAT needed! The original client IP is preserved and the return traffic from the print server goes directly to the client. F5 just does the transparent load balancing.
04-May-201100:27 - last edited on 31-May-202315:30 by JimmyPackets
Hi Meena,
my question was not if SNAT is technical required, but if it's also working with SNAT enabled.
As I mentioned in my previous post, MS printing service has nothing to do with nPath routing. Based on the findings with the destinationIP in the TCP header and data part, the only requirement is the loopback adapter on the print servers.
I tested this with my server guy and I can confirm now, that it is still working with basic and default Loadbalancer settings, following is our current setup:
virtual mltprtp01 {
destination 10.10.10.10:any
snat automap
translate service enable
persist source_addr
pool printer_cluster_mltprtp01
vlans Productie enable
}
I also get confirmed from the server guy, that he is not using the two mentioned Registry tweaks. The print servers are running on w2k3.
Maybe this is helpful and interesting for someone else as well.
Stefan, that's good to know. What Big-IP version are you running? I never thought to test using a standard config after upgrading. I think I was on 9.4 for the original setup. Since you got it working with a standard config, are you going to test tcp optimized profiles and one connect?
I have to make a little correction on my second last post. Today we realized again problems and it wasn't working anymore (not sure why this happens today).
But we found the critical option on the LB, it's the Address Translation, which is enabled by default. It needs to be disabled for the MS printing service. All other settings can stay on its default values, no TCP- or fastL4 profile modifications and also SNAT can be used.
Based on the findings from Meena, that the IP-address in the TCP-data part will be used I thought it shouldn't matter if this option is enabled or not (so I choose the default setting).
To summarize my findings:
- we are using 9.3.1 and w2k3
- print server with loopback adapter (same IP as the VS)
- enable "Client for MS networks" and "File and Printer Sharing" on the loopback adapter
- the two Registry tweaks are NOT implemented
- VS and poolmembers with the "any"-port option
- disable Address Translation on the VS
- all other settings on the LB can stay at its default value or can match you individual preferences
- if the Default Gateway of the print server is not pointing to the LB, I prefer to enable SNAT to have a clear traffic flow and no asynchronous routing (makes things complicated especially during troubleshooting), but it will also work with SNAT disabled (doesn't matter from a technical point of view)
I'm in the process of building a new 2008 print server environment and wanted a better health monitor for print services. Following the instructions in the article below, you can create a health monitor for anything that can be queried via WMI (windows service state, cpu, memory, etc.). The title is kind of misleading as the benefits go much further than just terminal services monitoring, but the info is huge for me. Figured it was worth pointing out....
Stuck at the moment. I can map the printer fine if I connect through the VIP (eg. \\192.168.0.10 and double-click on the printer). But if I map the FQDN (eg. \\virtualserver.mydomain.com and double click on the printer) I get the error "Operation could not be completed (error 0x00000709). Double check the printer name and make sure that the printer is connected to the network."
This is Win2K8. Registry settings DisableLoopbackCheck, DisableStrictNameChecking, and OptionalNames are set. F5 Service Ports 0 (All services) are set on the Virtual Server and Pool config. Not sure what to do at this point, would appreciate any help! I have access to the F5 and the servers.
Also have a look at this. I don't have DNSOnWire enabled on any of my print servers, but every environment is different. Perhaps this is the fix for you.
IMPORTANT: This thread has confused quite a few people - npath is not necessarily required to get MS file and printer sharing to work. It is entirely possible to set up a simple network topology, not Npath, and use a SNAT (automap etc).
The following config worked once the Microsoft server requirements were satisfied:
- Standard virtual using SNAT automap, mapped for all ports, no port translation, to a pool with members mapped on all ports. You can use a custom tcp monitor with an aliased port (click "Advanced" in the monitor config) to monitor the all ports pool.
MS server configuration requirements (was Windows Server 2003 in this case - would appreciate feedback in this thread regarding requirements identified on other Windows versions):
- Disable Strict Name Checking
- Configure Optional Names (the DNS Name of the Virtual Server)
I suspect kerberos to be involved and I would like to see packet captures before and after the change but do not have time to do a repro.
If using npath, this will likely be needed: Disable Loopback Check
Details of the registry settings:
Locate and click the following key in the registry:
Keep in mind when this thread was created about 90% of Devcentral focused on load balancing web servers. There was nothing from F5 and next to nothing on the net regarding hardware load balancing print servers. Based on Meena's thread and what I had found elsewhere, that config worked for me. Considering how many hits this thread gets, I dare say it has helped more than it has confused. You are correct though, npath is not necessarily required. I had more control in the design of our 2008 print environment and don't use npath in it. As with anything, test and see what works best for you.
We've just implemented a print server "load balancing" solution using our LTMs where, instead of distributing print jobs across 2-3 print servers, we used priority groups to ensure traffic always goes to a certain print server if it's online. The other server (pool member) with a lower priority would only get the print jobs if the primary was down.
Anyway, I'm using SNAT as the pool members are not on the same VLAN as the LTM. We're also using a simple tcp health monitor on port 515 to determine service health. Everything seems to be working. I didn't have to do a lot of the extra effort I noticed many others went through on the articles I read here on DevCentral.
We went with priority groups as the goal was to understand which printer would get any given pick slip out of our ERP print jobs, so we're not running around the warehouse looking for the printer where a job may have been sent. I'm not uber-thrilled with the health monitor, and have seen some WMI-type monitors that might come in useful.
I guess I'm wondering why I didn't have to deal with all the trouble many others have had? Are my print servers misconfigured, or do those registry changes only come into play when using nPath routing?
I think some of the confusion is in the objective. Some just need to send a print job to a load balanced print server. Others need end users to be able to map to print queues, download drivers, print, etc. Also every environment is different. I'm sure that is a factor as well. I'd strongly suggest using the WMI monitor. The TCP port check just isn't sufficient, or at least wasn't for us. I posted a link to the how-to a few years ago, but it looks like the site update broke it. I'll try to find it again. Believe it or not, I still have my Win2K print server VIP (NPath) in production as well as the Win2K8 print Server VIP (standard). They are both rock solid. I will say if bandwidth might be an issue, I'd go with Npath. But we haven't had a print server outage in years with either vs. multi-hour outages using Windows Print Clustering previously.
Thanks Chris, this is a really helpful clarification. I'll look into WMI, as I vehemently despise TCP monitors for most apps in general. 🙂 Our print server jobs are all local site LAN traffic so bandwidth should not be an issue. Also, our print servers are all running Win2k8. If you can find the WMI link that would be cool, and if you might be able to share any details on how you've configured your WMI monitor to keep tabs on print services, I'd love to see how you've done it!
Here's the new link to the guide for creating the WMI monitor. As I recall it was pretty straightforward. I'm even using the same interval and timeout. Looking at my monitor properties, the only thing I see that is different is my alias service port is 3389 and the external program path is /usr/bin/monitors. Also, you'll need to enable remote WMI requests on the win2k8 boxes if not already enabled.
Something interesting I found yesterday while trying to get our Optio app printing to the 2008 print server VS, the print jobs were erroring out with an error code 5. This is indicative of a permissions issue. Per Optio, the fix for 2003 server is to change local security policy to allow everyone permissions to apply to anonymous as the jobs are created by the system account on the Optio server and are treated as anonymous by the remote print server. This fix wasn't working in 2008 and Optio support was at a loss. After a bit of digging I found that you must also edit the "named pipes that can be accessed anonymously" local security policy to include SPOOLSS. After making this change, the jobs started printing successfully.
I hope someone may find this info useful as I wasn't finding much myself while trying to figure this out.
Here's another print problem I've been noodling on for the last couple days and just figured out. Anonymous jobs going to zebra print queues (on 2008 R2) would spool, but not print. Anonymous has access to spoolss, so what could be the problem? It turned out to be driver isolation. With driver isolation enabled the drivers run in their own protected process, not the spooler process. I disabled driver isolation for the problematic driver and anonymous jobs started printing. That was an interesting one.
Is there anyway you can send me some screenshots of the settings on your VS ? I see a couple of replies back that Brian Mayer says he just did a standard vs with snat, but id also like to do the same thing with priority groups, even though I'm not sure how to do this so if you or Brian can help me with the priority group settings.
also if you provide me with the wmi string you used to monitor the servers it would be much appreciated.
I am struggling to get a 2016 MS Print Server to sit behind the F5.
I have followed a number of different threads and posts from multiple load balancing sites, but have yet to come to the proper solution. In our environment, we need to be able to map to the individual printers. I am able to get the configuration as far as being able to start mapping a printer \\printserver\printername but when I click next, I just get an error. And if I click browse, there are no printers to select.
I have done multiple registry changes, enabled and disabled NetBios, and a bunch of other things. I am hoping that there is someone here who might be able to further assist me with this project.
As an additional update, it does not matter if I use the NPath iApp or build a virtual server. If I map to the printer directly through the print server, I have no issues, when trying to map through the F5, either via NPath or virtual server, I get an error on the Print Server using Wireshark stating, OpenprinterEx reponse, invalid printer name. it doesn't matter if I add it through the VIP or DNS name, I always get this issue.
